Forever 21 reports on investigation into payment card security breach

Forever 21 has released the results of its investigation into the payment card security incident reported in October 2017, revealing a range of breaches including the presence of malware on some point-of-sale (POS) devices.


The investigation, for which the LA-based fashion retailer enlisted the help of leading firms specializing in payment technology and data security, determined that encryption technology was not always activated on some POS devices.

Breaches involving unauthorized network access and the presence of malware designed to find payment card data on POS devices were also revealed. The malware searched for payment card track data and, in most cases, found only the card number, expiration date and internal verification code, but occasionally the cardholder name was also accessed.

The reported incidents occurred between April 3, 2017 and November 2017. However, because Forever 21 stores use a device that keeps a log of completed payment card transaction authorizations, data stored before April 2017 could still have been accessed at points of sale where the logging device was also affected by malware.

The brand underlined that the malware incidents only affected some devices in certain stores, but advised consumers to immediately contact their card issuer should they have any doubts concerning unauthorized payments.

In a release, Forever 21 assured consumers that the company “has been working with its payment processors, POS device provider, and third-party experts to address the operation of encryption on the POS devices in all Forever 21 stores,” and pledged to improve other security measures with the assistance of security firms.

The brand also stated that it would continue to cooperate with payment card networks and law enforcement agencies in their respective investigations.

As Forever 21 stores outside of the US use different payment processors, the brand highlighted that investigations are still ongoing to determine whether any of these points of sale have been subject to payment security breaches.

Cards used in purchases made on the brand’s website have not been affected.

Forever 21’s payment processing system has been protected by encryption technology since 2015. The company launched its investigation after a third party reported that there may have been unauthorized access to data relating to payment cards used in some of the brand’s stores last October.

Founded in Los Angeles, California, in 1984, Forever 21 operates in 57 countries through a network of over 815 stores.